Parameters¶
This page documents customer-facing configuration parameters available in compose.yaml.
Minimum Memory Baseline¶
For production environments, allocate at least 4 GB RAM per container for:
- Identity Operations Platform web
- Identity Operations Platform worker
- Identity Operations Platform leadworker
- PostgreSQL database
In practice, this means:
- Set IOP_MEM_LIMIT to at least 4096m (covers web, worker, leadworker, and other Identity Operations Platform base services).
- Set DATABASE_MEM_LIMIT to at least 4096m.
- Size *_MEMSWAP_LIMIT accordingly, based on your swap strategy.
The platform has been tested with significantly lower resource limits as well.
However, the values in compose.yaml are intended as production recommendations for small to medium-sized environments.
To increase background processing throughput, scale worker capacity horizontally by running additional worker containers (for example additional worker replicas).
This is usually the safest way to increase worker performance before raising per-container CPU and memory limits.
When calculating required host capacity, account for this explicitly as approximately 4 GB RAM per worker container.
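A pre-deployment check for the baseline above, as an added example (not part of the platform or its tooling). It assumes the limits are written as explicit Docker sizes such as 4096m or 4g; the function names and the sample .env fragment are constructed for illustration.

```python
import re

# Docker-style binary size suffixes accepted by mem_limit / memswap_limit.
UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024**2, "g": 1024**3}
BASELINE = 4096 * UNITS["m"]  # the page's 4 GB production minimum

def parse_size(value):
    """Convert '4096m', '2g', '512k' or a bare byte count to bytes."""
    m = re.fullmatch(r"(\d+)([bkmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"not a Docker size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = val.strip().strip("'\"")
    return env

def audit_memory(env):
    """Return findings for the two limits the baseline names."""
    findings = []
    for prefix in ("IOP", "DATABASE"):
        mem = parse_size(env[f"{prefix}_MEM_LIMIT"])
        swap = parse_size(env[f"{prefix}_MEMSWAP_LIMIT"])
        if mem < BASELINE:
            findings.append(f"{prefix}_MEM_LIMIT below 4096m baseline")
        if swap < mem:  # Docker rejects a combined cap smaller than the RAM cap
            findings.append(f"{prefix}_MEMSWAP_LIMIT below {prefix}_MEM_LIMIT")
    return findings

def baseline_host_bytes(env, worker_replicas=1):
    """Lower bound only: web + leadworker + N workers, plus the database."""
    iop = parse_size(env["IOP_MEM_LIMIT"])
    return (2 + worker_replicas) * iop + parse_size(env["DATABASE_MEM_LIMIT"])

# Constructed sample .env fragment (not from a real deployment).
SAMPLE_ENV = """
IOP_MEM_LIMIT=1024m
IOP_MEMSWAP_LIMIT=1024m
DATABASE_MEM_LIMIT=4096m
DATABASE_MEMSWAP_LIMIT=2048m
"""

print(audit_memory(parse_env(SAMPLE_ENV)))
```

The host figure covers only the four container types named in the baseline; RabbitMQ, Redis/Valkey, Echohub and any other services come on top of it.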
How CPU and Memory Parameters Affect Container Resources¶
The production compose file uses four important resource controls:
- *_CPUS (cpus): absolute CPU quota per container.
- *_CPU_SHARES (cpu_shares): relative CPU priority when containers contend for CPU.
- *_MEM_LIMIT (mem_limit): hard RAM cap for a container.
- *_MEMSWAP_LIMIT (memswap_limit): combined RAM + swap cap.
Practical tuning guidance:
- Start with conservative limits and monitor actual usage (docker stats, host metrics, APM).
- Increase *_CPUS to reduce sustained CPU throttling.
- Use *_CPU_SHARES to prioritize critical services under contention.
- Keep *_MEM_LIMIT above normal peak usage to avoid OOM kills.
- Set *_MEMSWAP_LIMIT intentionally; too much swap can hide pressure but add latency.
Parameters¶
AAF_LOGIN_EVENT¶
Sets the event name used by the OpenText Advanced Authentication login flow. Use a stable value that matches your authentication event naming in logs and downstream integrations.
Example
AAF_LOGIN_EVENT=<VALUE>
Default
AAF_LOGIN_EVENT=Helpdesk
CORS_ALLOW_ORIGIN¶
Regular expression used to validate allowed browser origins for CORS. Restrict this as tightly as possible in production to reduce cross-origin attack surface.
Example
CORS_ALLOW_ORIGIN=<VALUE>
Default
CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
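A way to test a candidate CORS_ALLOW_ORIGIN value before deploying it, as an added example (not the platform's own code). It assumes the pattern is applied with search semantics, as PCRE preg_match does; the hostname iop.example.com, the LOOSE and TIGHT patterns and the probe origins are constructed.

```python
import re


def audit_cors_pattern(pattern, intended_origin):
    """Probe a CORS_ALLOW_ORIGIN regex with near-miss origins.

    Assumption: the platform applies the pattern with search semantics
    (as PCRE preg_match does), so missing anchors matter.
    """
    rx = re.compile(pattern)
    scheme, host = intended_origin.split("://", 1)
    # Constructed near-miss origins; attacker.test is a reserved test name.
    probes = {
        "suffix appended": f"{intended_origin}.attacker.test",
        "dot treated as wildcard": f"{scheme}://{host.replace('.', 'x', 1)}",
        "host prefixed": f"{scheme}://attacker{host}",
        "plaintext http": f"http://{host}",
    }
    return {
        "allows_intended": bool(rx.search(intended_origin)),
        "unintended": [
            label
            for label, origin in probes.items()
            if origin != intended_origin and rx.search(origin)
        ],
    }


# The page's shipped default, plus two constructed candidates for a
# hypothetical production origin https://iop.example.com.
DEFAULT = r"^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$"
LOOSE = "https://iop.example.com"
TIGHT = r"^https://iop\.example\.com$"

if __name__ == "__main__":
    for name, pattern, origin in [
        ("default", DEFAULT, "https://localhost"),
        ("loose", LOOSE, "https://iop.example.com"),
        ("tight", TIGHT, "https://iop.example.com"),
    ]:
        print(name, audit_cors_pattern(pattern, origin))
```

The shipped default is anchored and escaped correctly but accepts plain http on localhost, so a production value should name the real origin with https only.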
DATABASE_BACKUP_FREQUENCY¶
Backup interval in seconds for the pgBackRest backup loop. Lower values increase backup frequency (better RPO) but consume more I/O and storage.
Example
DATABASE_BACKUP_FREQUENCY=<VALUE>
Default
DATABASE_BACKUP_FREQUENCY=3600
DATABASE_CPUS¶
Hard CPU quota for the database container (cpus). This limits how much CPU time the container can consume (for example 1.0 ≈ one vCPU, 0.5 ≈ half a vCPU, 2.0 ≈ two vCPUs).
Use this to cap peak CPU usage and protect other services on the same host.
Example
DATABASE_CPUS=<VALUE>
Default
DATABASE_CPUS=1.0
DATABASE_CPU_SHARES¶
Relative CPU weight for the database container (cpu_shares). This is applied when multiple containers compete for CPU.
Higher values give the container a larger share under contention, but do not create a hard cap by themselves.
Example
DATABASE_CPU_SHARES=<VALUE>
Default
DATABASE_CPU_SHARES=1024
DATABASE_DB¶
Primary PostgreSQL database name used by Identity Operations Platform and related services.
Example
DATABASE_DB=<VALUE>
Default
DATABASE_DB=iop
DATABASE_HOST¶
Hostname of the PostgreSQL service from the Identity Operations Platform containers' perspective.
Example
DATABASE_HOST=<VALUE>
Default
DATABASE_HOST=database
DATABASE_MEMSWAP_LIMIT¶
Combined memory + swap limit for the database container (memswap_limit). If swap is available, this controls total addressable memory beyond RAM.
Set this carefully to avoid either uncontrolled swap thrashing (too high) or early OOM kills (too low).
Example
DATABASE_MEMSWAP_LIMIT=<VALUE>
Default
DATABASE_MEMSWAP_LIMIT=1024m
DATABASE_MEM_LIMIT¶
Hard memory limit for the database container (mem_limit). When exceeded, the container can be OOM-killed.
Tune according to PostgreSQL workload size, shared buffers, and expected concurrency.
Example
DATABASE_MEM_LIMIT=<VALUE>
Default
DATABASE_MEM_LIMIT=1024m
DATABASE_PORT¶
TCP port used by PostgreSQL.
Example
DATABASE_PORT=<VALUE>
Default
DATABASE_PORT=5432
DATABASE_SHM_SIZE¶
Size of /dev/shm for the database container. PostgreSQL can benefit from sufficient shared memory for internal operations.
Example
DATABASE_SHM_SIZE=<VALUE>
Default
DATABASE_SHM_SIZE=2g
MONOLOG_LEVEL¶
Sets the Monolog threshold used by the Identity Operations Platform containers. Valid values are standard Monolog levels such as debug, info, notice, warning, error, critical, alert, and emergency.
Example
MONOLOG_LEVEL=<VALUE>
Default
MONOLOG_LEVEL=error
DATABASE_STANZA¶
pgBackRest stanza name used by backup, check, and restore components. Keep this consistent across all pgBackRest-related services.
Example
DATABASE_STANZA=<VALUE>
Default
DATABASE_STANZA=iop
DATABASE_USER¶
Database username used by Identity Operations Platform for PostgreSQL connections.
Example
DATABASE_USER=<VALUE>
Default
DATABASE_USER=iop
ECHOHUB_COOKIE_NAME¶
Cookie name used by Echohub authentication. Keep stable to avoid breaking active browser sessions.
Example
ECHOHUB_COOKIE_NAME=<VALUE>
Default
ECHOHUB_COOKIE_NAME=_echohub_auth_cookie
ECHOHUB_JWT_AUDIENCE¶
Expected JWT audience for Echohub token validation.
Example
ECHOHUB_JWT_AUDIENCE=<VALUE>
Default
ECHOHUB_JWT_AUDIENCE=echohub
ECHOHUB_JWT_ISSUER¶
JWT issuer value used by Echohub token validation.
Example
ECHOHUB_JWT_ISSUER=<VALUE>
Default
ECHOHUB_JWT_ISSUER=https://example.com
ECHOHUB_SUBSCRIBER_PREFIX¶
Prefix for subscriber identifiers in Echohub channels/topics.
Example
ECHOHUB_SUBSCRIBER_PREFIX=<VALUE>
Default
ECHOHUB_SUBSCRIBER_PREFIX=echohub_user_
ECHOHUB_TURBO_PREFIX¶
Prefix used for Turbo-related topic naming in Echohub.
Example
ECHOHUB_TURBO_PREFIX=<VALUE>
Default
ECHOHUB_TURBO_PREFIX=echohub_turbo_
ENABLE_SETUP¶
Enables setup mode. This should normally be false after initial installation is completed.
Example
ENABLE_SETUP=<VALUE>
Default
ENABLE_SETUP=false
HTTPS_PORT¶
Published HTTPS port for the web container on the host.
Example
HTTPS_PORT=<VALUE>
Default
HTTPS_PORT=9443
HTTP_PORT¶
Published HTTP port for the web container on the host.
Example
HTTP_PORT=<VALUE>
Default
HTTP_PORT=9080
HTTP_PROXY_NO_PROXY¶
Comma-separated hosts/domains that should bypass the configured HTTP proxy.
Example
HTTP_PROXY_NO_PROXY=<VALUE>
Default
HTTP_PROXY_NO_PROXY=
HTTP_PROXY_URL¶
Outbound HTTP proxy URL used by application requests where proxying is required.
Example
HTTP_PROXY_URL=<VALUE>
Default
HTTP_PROXY_URL=
IOP_CPUS¶
Hard CPU quota for Identity Operations Platform base services (web, worker, scheduler, etc.) via cpus. Use this to cap total CPU usage per container.
Example: 0.5 limits a service to about half a CPU core; 2.0 allows up to two cores.
Example
IOP_CPUS=<VALUE>
Default
IOP_CPUS=1.0
IOP_CPU_SHARES¶
Relative CPU weight for Identity Operations Platform base services (cpu_shares). This mainly matters under CPU contention.
Increase it when Identity Operations Platform services should win CPU scheduling over less critical containers.
Example
IOP_CPU_SHARES=<VALUE>
Default
IOP_CPU_SHARES=1024
IOP_MEMSWAP_LIMIT¶
Combined memory + swap limit for Identity Operations Platform base services. This controls total memory pressure behavior when swap is enabled.
Example
IOP_MEMSWAP_LIMIT=<VALUE>
Default
IOP_MEMSWAP_LIMIT=1024m
IOP_MEM_LIMIT¶
Hard memory limit for Identity Operations Platform base services. Size this with enough headroom for peak workload to avoid OOM events.
Example
IOP_MEM_LIMIT=<VALUE>
Default
IOP_MEM_LIMIT=1024m
PLATFORM_TOKEN_ISSUER_URL¶
Issuer URL used when validating platform tokens. Must match the externally reachable issuer expected by token consumers.
Example
PLATFORM_TOKEN_ISSUER_URL=<VALUE>
Default
PLATFORM_TOKEN_ISSUER_URL=https://idp.example.com
RABBITMQ_CPUS¶
Hard CPU quota for RabbitMQ (cpus). Use this to bound message broker CPU consumption and protect host capacity.
Example
RABBITMQ_CPUS=<VALUE>
Default
RABBITMQ_CPUS=1.0
RABBITMQ_CPU_SHARES¶
Relative CPU weight for RabbitMQ (cpu_shares). Higher values prioritize RabbitMQ when containers compete for CPU.
Example
RABBITMQ_CPU_SHARES=<VALUE>
Default
RABBITMQ_CPU_SHARES=512
RABBITMQ_MEMSWAP_LIMIT¶
Combined memory + swap limit for RabbitMQ.
Example
RABBITMQ_MEMSWAP_LIMIT=<VALUE>
Default
RABBITMQ_MEMSWAP_LIMIT=1024m
RABBITMQ_MEM_LIMIT¶
Hard memory limit for RabbitMQ. Undersizing can trigger memory alarms and throughput degradation.
Example
RABBITMQ_MEM_LIMIT=<VALUE>
Default
RABBITMQ_MEM_LIMIT=1024m
RABBITMQ_PORT¶
AMQP port used by application services to connect to RabbitMQ.
Example
RABBITMQ_PORT=<VALUE>
Default
RABBITMQ_PORT=5672
RABBITMQ_USER¶
RabbitMQ application username used by Identity Operations Platform services.
Example
RABBITMQ_USER=<VALUE>
Default
RABBITMQ_USER=iop
RECHOHUB_CPUS¶
Hard CPU quota for Echohub (cpus).
Example
RECHOHUB_CPUS=<VALUE>
Default
RECHOHUB_CPUS=1.0
RECHOHUB_CPU_SHARES¶
Relative CPU weight for Echohub under contention (cpu_shares).
Example
RECHOHUB_CPU_SHARES=<VALUE>
Default
RECHOHUB_CPU_SHARES=512
RECHOHUB_MEMSWAP_LIMIT¶
Combined memory + swap limit for Echohub.
Example
RECHOHUB_MEMSWAP_LIMIT=<VALUE>
Default
RECHOHUB_MEMSWAP_LIMIT=512m
RECHOHUB_MEM_LIMIT¶
Hard memory limit for Echohub.
Example
RECHOHUB_MEM_LIMIT=<VALUE>
Default
RECHOHUB_MEM_LIMIT=512m
REDIS_CPUS¶
Hard CPU quota for Redis/Valkey (cpus). Tune according to cache throughput and latency requirements.
Example
REDIS_CPUS=<VALUE>
Default
REDIS_CPUS=1.0
REDIS_CPU_SHARES¶
Relative CPU weight for Redis/Valkey (cpu_shares) when host CPU is contended.
Example
REDIS_CPU_SHARES=<VALUE>
Default
REDIS_CPU_SHARES=512
REDIS_MEMSWAP_LIMIT¶
Combined memory + swap limit for Redis/Valkey.
Example
REDIS_MEMSWAP_LIMIT=<VALUE>
Default
REDIS_MEMSWAP_LIMIT=1024m
REDIS_MEM_LIMIT¶
Hard memory limit for Redis/Valkey. Ensure this aligns with your keyspace size and eviction policy expectations.
Example
REDIS_MEM_LIMIT=<VALUE>
Default
REDIS_MEM_LIMIT=1024m
SENTRY_DSN¶
Sentry DSN for error reporting. Leave empty to disable Sentry event shipping.
Example
SENTRY_DSN=<VALUE>
Default
SENTRY_DSN=
SENTRY_ENVIRONMENT¶
Environment label sent to Sentry (for example prod, staging).
Example
SENTRY_ENVIRONMENT=<VALUE>
Default
SENTRY_ENVIRONMENT=prod
SHOW_VERSION_NUMBER¶
Controls whether the application version is displayed in the UI.
Example
SHOW_VERSION_NUMBER=<VALUE>
Default
SHOW_VERSION_NUMBER=false
SYNC_USER_SOURCES_BATCH_SIZE¶
Batch size for user-source synchronization jobs. Larger values can improve throughput but increase per-batch load.
Example
SYNC_USER_SOURCES_BATCH_SIZE=<VALUE>
Default
SYNC_USER_SOURCES_BATCH_SIZE=500
TRACE_CAPTURE_ENABLED¶
Enables/disables trace capture in Identity Operations Platform.
Example
TRACE_CAPTURE_ENABLED=<VALUE>
Default
TRACE_CAPTURE_ENABLED=false
TRUSTED_PROXIES¶
Comma-separated CIDRs of trusted reverse proxies. Required for safe handling of forwarded headers.
Example
TRUSTED_PROXIES=<VALUE>
Default
TRUSTED_PROXIES=172.16.0.0/12,10.0.0.0/8,192.168.0.0/16
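How a trusted-proxy list governs forwarded headers, as an added example of the general technique (not the platform's own code; its actual resolution logic is not documented on this page). The addresses, the NARROW list and the function names are constructed; the example handles plain IP values in X-Forwarded-For only.

```python
import ipaddress


def parse_trusted(value):
    """Parse a TRUSTED_PROXIES-style comma-separated CIDR list."""
    return [ipaddress.ip_network(c.strip()) for c in value.split(",") if c.strip()]


def is_trusted(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable values are never trusted
    return any(addr in net for net in networks)


def client_ip(remote_addr, x_forwarded_for, trusted):
    """Resolve the client address from the socket peer and X-Forwarded-For."""
    if not x_forwarded_for or not is_trusted(remote_addr, trusted):
        return remote_addr  # a header from an untrusted peer is ignored
    last_good = remote_addr
    # Walk right to left: the rightmost entries were appended by our proxies.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return last_good  # stop at garbage; keep the last verified hop
        if not is_trusted(hop, trusted):
            return hop  # first address not vouched for by a trusted proxy
        last_good = hop
    return last_good


# The page's default list, and a narrowed list for one constructed proxy.
DEFAULT = parse_trusted("172.16.0.0/12,10.0.0.0/8,192.168.0.0/16")
NARROW = parse_trusted("10.0.0.5/32")

if __name__ == "__main__":
    # Constructed request: internal host 10.9.9.9 is not a proxy.
    print(client_ip("10.9.9.9", "203.0.113.99", DEFAULT))  # header believed
    print(client_ip("10.9.9.9", "203.0.113.99", NARROW))   # header ignored
```

With the default list every private-range host is treated as a proxy, so where the proxy addresses are known, listing only those keeps logged client addresses and IP-based controls tied to hops you actually operate.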